HubSpot workflows are powerful tools for managing customer data and automation, but they come with security risks if not configured properly. Misconfigured workflows, outdated permissions, and unsecured integrations can expose sensitive data, disrupt operations, and lead to compliance violations. Professional HubSpot RevOps support can help mitigate these risks. Here's what you need to know to keep your workflows secure:
HubSpot Workflow Security Best Practices Checklist
Role-Based Access Control (RBAC) helps limit access to workflows, ensuring users only have the permissions they need for their tasks. This approach reduces the chances of data loss, unauthorized changes, or accidental exposure of information. It also creates accountability by tracking which roles or users are responsible for specific actions within the system.
For example, a sales development representative might need access to view workflow performance data but shouldn’t have the ability to edit lead-routing logic. On the other hand, a marketing coordinator working on email nurture sequences will need different permissions than a RevOps manager overseeing the entire automation system.
In HubSpot, workflow access is managed through the CRM Tools section in the user permissions settings. Only Super Admins or users with "Add and edit users" permissions can adjust these access levels. To update workflow permissions for a user:
If your account is on the Enterprise tier, you can streamline this process by using permission sets (custom roles). These allow you to standardize permissions across teams, saving time when onboarding new hires. For instance, you could create "Workflow Manager" or "Workflow Viewer" roles and assign them to multiple users at once. Super Admins can create up to 100 permission sets per account. Keep in mind that changes to permissions may take up to five minutes to apply, and users will need to log out and back in to see updates.
It’s important to note that users building lead nurturing workflows will need the Marketing email Publish permission. Without it, "Edit" access alone won’t let them save emails for automation, a common issue that can disrupt workflow setup.
To protect sensitive workflows, you’ll need a careful strategy for managing permissions. Start by restricting Super Admin status to a small, trusted group, usually leadership or operations teams, to reduce the risk of major errors. For other users, permission sets can ensure consistent, pre-approved access levels across departments.
For users who don’t need editing rights, set their permissions to "View" only. This lets them monitor workflow performance without making changes. Those who need to create workflows should have the Workflows permission enabled under CRM Tools. Additionally, record-level access settings (All, Team only, or Owned only) can further control who sees sensitive data processed by workflows.
It’s a good idea to audit permissions every three to six months to keep them accurate as employees change roles or leave the company. If you’re using a Professional or Enterprise plan, the "Compare access" feature can help you identify differences between user roles and ensure no unauthorized users have editing privileges. Regular reviews also prevent former employees from retaining unnecessary Super Admin access.
These RBAC measures lay a solid foundation for the security practices covered in the next sections.
Once role-based access is in place, adding Two-Factor Authentication (2FA) and Single Sign-On (SSO) provides an extra layer of security for workflows. 2FA adds a second verification step on a separate device, making it harder for attackers to compromise accounts even if passwords are stolen. SSO simplifies access management by letting users log into multiple systems with a single account, making authentication easier while maintaining better control.
For HubSpot Starter, Professional, and Enterprise accounts, 2FA is required for all users signing in with a username and password, and it cannot be turned off. When both SSO and 2FA are active, users logging in through SSO typically bypass HubSpot's 2FA, though it remains in place for any direct login attempts using HubSpot credentials.
To enable 2FA, users should go to Settings > General > Security, click Set up two-factor authentication (2FA), and follow the steps to connect a passkey, authenticator app, or phone number. HubSpot recommends passkeys or authenticator apps like Google Authenticator or Duo over SMS-based 2FA for stronger protection.
Super Admins can enforce 2FA for all users by navigating to Settings > Security > Login and switching the Require Two-Factor Authentication (2FA) toggle to On. Once activated, users have a 24-hour grace period to set up their 2FA method before being required to use it at their next login. To make repeated logins easier, users can select the "Remember me" option during the 2FA prompt, which prevents secondary code requests on that device for 28 days.
Admins can also tailor 2FA settings to meet company policies. By enabling Approved 2FA methods, they can specify which options - Authenticator apps, text messages, or the HubSpot mobile app - are allowed. During setup, users should download or print backup codes to ensure account access if their primary device becomes unavailable.
Pairing these measures with SSO can help streamline and secure access even further.
HubSpot supports Security Assertion Markup Language (SAML) 2.0 for SSO, enabling authentication data to pass securely between your Identity Provider (IdP) and HubSpot. SSO is available for Professional and Enterprise subscriptions and works with popular providers like Okta, OneLogin, and Microsoft Entra ID.
To set up SSO, go to Settings > Security > Login, click Set up under Configure single sign-on (SSO), and either upload your IdP's XML metadata file or manually enter the Issuer URL and Certificate. Ensure the X.509 certificate is in PEM format with the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers, and verify that your IdP uses the SHA-256 signing algorithm.
After confirming the connection through the Verify option, Super Admins can require all users to log in via SSO by checking the Require single sign-on box. The Manage exempted users feature allows certain individuals, such as contractors or partners, to log in using standard HubSpot credentials. To avoid being locked out during IdP downtime, it's crucial to exempt at least one Super Admin from the SSO requirement.
| 2FA Method | Free Tools | Starter | Professional | Enterprise |
|---|---|---|---|---|
| Passkeys | ✓ | ✓ | ✓ | ✓ |
| Authenticator App | ✓ | ✓ | ✓ | ✓ |
| SMS Message | - | ✓ | ✓ | ✓ |
After setting up strong access controls like 2FA and SSO, the next step in securing workflows is protecting the data itself. Encryption plays a critical role here. HubSpot uses dual encryption to safeguard data both in storage and during transmission. This ensures that even if data is intercepted or accessed, it remains unreadable.
With the global average cost of a data breach hitting $4.88 million in 2024, encrypting customer data is no longer optional. HubSpot employs industry-standard encryption protocols to address this risk. Let’s break down how these systems work and their role in keeping workflow actions secure.
HubSpot secures data at rest using AES-256 encryption, a standard trusted by banks and government institutions. For data in transit, HubSpot relies on TLS 1.2 or higher (HTTPS-only) to protect all transmissions, including API calls. This means your workflow data is automatically encrypted without requiring additional setup.
For Enterprise users, HubSpot offers application-layer encryption. By marking properties as "Sensitive" or "Highly Sensitive", you can add an extra layer of protection for critical data like social security numbers or financial records. When a property is labeled "Highly Sensitive", users must manually decrypt the value before viewing or editing it in the HubSpot interface.
"Marking a property as sensitive adds an additional layer of encryption, application layer encryption, which gives individual accounts and their Sensitive Data increased protection and isolation." - HubSpot Knowledge Base
Sensitive data properties can still be integrated into workflows for enrollment triggers and AND/OR branches. Personalization tokens in the "Edit record" action can copy values from sensitive data properties, but HubSpot restricts certain actions - like "Copy property" or "When an Event occurs" triggers - for these fields to maintain security.
To ensure security, restrict access to workflows involving sensitive data. Super Admins should routinely check the audit log to track user actions related to sensitive data. For HIPAA compliance, designate the "Health/Medical Data" category in HubSpot settings and confirm your status as a HIPAA-covered entity to activate the Business Associate Agreement (BAA).
Securing data during transfers is just as important as protecting it at rest. HubSpot ensures encryption during transmissions and maintains SOC 2 Type II and SOC 3 compliance, which verify the effectiveness of its security controls. However, when connecting HubSpot workflows to third-party tools, additional precautions are necessary.
For third-party integrations, always use OAuth 2.0 instead of static API keys. OAuth tokens are more secure because they are scoped, time-bound, and revocable without disrupting other integrations. Before connecting an app, confirm it requests only the permissions it needs - this follows the Principle of Least Privilege. If sensitive data workflows are accessed via API, specific OAuth scopes like crm.objects.contacts.sensitive.read or write are required.
Perform security reviews of third-party tools to ensure they meet GDPR or HIPAA encryption standards. HubSpot’s "Check recommendations" feature in the Sensitive Data tab can help identify and resolve potential security gaps. Set a routine - such as monthly - to review audit logs for any unusual activity or unauthorized changes to sensitive workflows.
| Encryption Type | Standard Used | Purpose |
|---|---|---|
| In Transit | TLS 1.2+ / 1.3 | Protects data moving between the user's browser/API and HubSpot |
| At Rest | AES-256 | Secures data stored in HubSpot databases and backups |
| Application Layer | Extra Encryption | Adds isolation for "Sensitive" and "Highly Sensitive" properties |
For organizations in the EU, HubSpot provides data residency options to keep data within the European Union, supporting GDPR compliance. Once Sensitive Data settings are enabled, uploaded files - whether in records, notes, or forms - receive an additional encryption layer. These files cannot be shared externally without proper authentication.
Next, we’ll explore how to monitor and audit these secured workflows to maintain ongoing compliance.
Third-party integrations can expand HubSpot's functionality, but they also come with potential risks if permissions aren't handled carefully. For instance, one client discovered that a third-party app was silently syncing their contact database to an unused tool. These issues often go unnoticed until they result in major consequences, such as data breaches, compliance violations, or disruptions in workflows.
To reduce these risks, it's essential to control each app's access to your data. Many apps request more permissions than they actually need. Before connecting any tool, review the data it requires and limit access based on the Principle of Least Privilege. For example, an app that only needs to read contacts shouldn’t have permission to modify deals. Also, evaluate the app’s security practices before setting up permissions.
Start by checking for the HubSpot Certified App badge in the Marketplace. Apps with this certification have passed HubSpot's thorough review process, which evaluates security, privacy, reliability, and performance. Certified apps are required to meet specific criteria, such as maintaining an API success rate above 95% and having at least 60 active installs from unique production accounts.
Review the app's requested data permissions. HubSpot separates permissions into "Required" and "Optional." While required permissions are necessary for the app to function, optional ones can often be turned off to minimize data exposure. For example, if an app requests access to sensitive data that isn’t relevant to your workflow, disable those permissions.
Ensure the app uses OAuth 2.0 for authentication instead of outdated API keys. OAuth generates short-lived tokens that expire every 30 minutes, making it more secure. Check the app’s documentation to confirm it follows modern authentication standards and offers clear pricing that aligns with its official website.
If you're working with custom integrations or private apps, take extra precautions. Use HubSpot's Connection Insights to monitor daily record events for these apps.
| Certification Criteria | Requirement Detail |
|---|---|
| API Success Rate | Must exceed 95% |
| Active Installs | Minimum of 60 unique production accounts |
| Authentication | Must use OAuth authorization code flow |
| Domain Verification | Must be tied to a verified domain |
| Recertification | Required every two years to maintain certification |
Once you’ve verified the app’s security, proceed to configure its permissions within HubSpot.
After evaluating an app, configuring its permissions is the next step. Use the "Approved apps" feature (currently in Beta) to pre-approve Marketplace apps before non-admin users can install them. Super Admins can review the app’s data access during the approval process. While required permissions cannot be changed, optional ones should be disabled if unnecessary for your workflow. For example, an email verification tool doesn’t need access to deal records or company data.
Limit app installation rights to "Admins only" or specific users instead of allowing access to everyone. This ensures that only authorized personnel can connect new tools. Additionally, enable automated notifications for app installations, disconnections, and uninstallations.
For workflows involving custom code, store Private App tokens securely as secrets rather than embedding them directly in the code. Each private app should have its own narrow set of permissions instead of using a broad token shared across multiple tasks.
"Each private app will have its own set of scopes, so you can make sure that each job is limited to the specific permissions it needs" - David Adams, HubSpot's Developer Blog
Conduct quarterly audits of all connected apps, super admins, and private app scopes. Use the "Automation Insights" tab to identify active app actions in workflows and flag unused ones. Tools like the Breeze AI Assistant can simplify this process by identifying apps that haven’t synced data in the last 30 days.
If an app is no longer needed, use the "Revoke Approval" feature to uninstall it across your organization automatically. For apps receiving data from HubSpot workflows via webhooks, always implement signature validation (v3 HMAC SHA-256) to verify the legitimacy of requests and prevent spoofing.
Finally, replace any legacy API keys from 2022 or earlier with Private Apps. Older keys allow unrestricted access and pose significant security risks. For workflows handling sensitive information, ensure you use specific scopes like crm.objects.contacts.sensitive.read or write.
Even the most secure workflows can develop weak points over time as team structures change, campaigns wrap up, or new properties are added. Regular audits are essential to ensure that the security measures, like RBAC and access controls, implemented earlier remain effective. Without consistent oversight, workflows can drift into inefficiency or even create vulnerabilities.
"The drift happens after go-live, quietly, while everyone is focused on hitting number." - VEN Studio
Audits often uncover surprising inefficiencies. For instance, 30–40% of workflows in mature systems can become redundant, broken, or outdated, reducing the value of the CRM system. One example involved a HubSpot portal with 340 active workflows, where 47 (nearly 14%) were broken and misfiring without the operations team noticing. Additionally, workflows left inactive for over a year can pose risks like exposing sensitive data or misrouting leads.
To get started, export your workflow list by type and status. Focus on workflows that haven't been updated in over 180 days but remain active and continue enrolling contacts. Pay extra attention to workflows last updated by former employees.
Next, review the Performance tab for each workflow. This helps identify errors and overlapping property changes that could lead to race conditions. Keep an eye on sudden spikes in enrollment, as these might signal a security issue.
Plan to conduct audits quarterly. During these reviews, examine newly created workflows, check error logs, and ensure that logic hasn't drifted. While a manual audit can take 40–60 hours for a portal with 100–200 custom properties and over 50,000 records, automated tools can cut this diagnostic time to under five minutes.
When cleaning up, temporarily deactivate workflows for two weeks before archiving them. If no disruptions occur during this period, archive them instead of deleting them outright to retain historical data. Use a clear and consistent naming convention, such as [Type] - Description - Date, to make it easy to understand what a workflow does and who owns it.
Once you've identified issues through audits, activity logs can help trace their origins.
HubSpot's Audit Log (accessible under Settings > Tracking & Analytics > Audit Log) is a powerful tool for spotting unusual activity. Super Admins can view a centralized record of user actions, making it easier to troubleshoot changes and monitor security.
For individual workflows, the Revision History tool provides a detailed record of what changes were made, when, and by whom. You can filter this data by date, event type (e.g., enrollment trigger changes), and user. If something seems off, the "Revert" button lets you restore a previous version - though this feature doesn't apply to webhooks or custom code.
The Security Activity view highlights high-risk actions, such as changes to SSO or 2FA settings, contact exports, and admin permission modifications. Login history tracking adds another layer of oversight, showing successful and failed login attempts with details like IP addresses, locations, and devices for both web and mobile access. Audit logs typically cover the last 30 days, while login attempts can be reviewed for up to 90 days using the API.
For added protection, set up real-time email alerts for critical events. For example, you might want notifications for bulk exports or changes to admin permissions. Enterprise users can use the "Workflows" filter in the centralized audit log to pinpoint automation-related changes. The "Analyze" tab offers visual charts of user activity trends, helping to spot unusual behavior like spikes in deletions or exports.
Managing who can view and modify workflow properties is essential, especially for companies handling sensitive information like customer payment details or proprietary data. Field-level security helps restrict access to these sensitive fields, adding an extra layer of control to your existing security setup.
This feature is available for Enterprise subscriptions across all HubSpot Hubs, and only Super Admins can configure these restrictions. However, keep in mind that restricting a property affects workflow functionality - users won’t be able to use restricted fields as filters or view them in workflow actions.
It's important to note that field-level edit permissions don’t apply when records are modified through workflows, imports, or APIs. For example, a workflow can update a restricted field even if the user who created it lacks edit access. Because of this, HubSpot advises limiting access to the workflows tool when dealing with sensitive data.
"This feature doesn't provide complete restricted access. All users, regardless of access, can set or edit restricted properties via HubSpot's API, or when manually creating a record." - HubSpot Knowledge Base
There are some limitations to consider. Certain default properties, such as Email, First Name, Last Name, and Lifecycle Stage, cannot have their view access restricted. Additionally, properties marked as "Sensitive Data" cannot currently support "Copy property" actions or "When an Event occurs" enrollment triggers in workflows.
To configure field-level permissions in HubSpot, follow these steps to ensure your sensitive workflow properties are secure:
HubSpot offers four primary access levels for field permissions:
When assigning permissions, use the "Teams" tab to manage access for groups instead of individuals. This approach simplifies administration as your organization scales. Keep in mind that granting access to a child (nested) team also extends access to the parent team.
For properties marked as "Sensitive Data", Super Admins can monitor access and changes using a dedicated audit log. You can also track unauthorized modifications through the "Last Modified By" property and the Security Activity log under Settings > Security Activity. To prevent sensitive data from being included in email notifications, go to Security > Sensitive Data and disable the "Display full content in notification emails" option.
| Access Level | View Permission | Edit Permission |
|---|---|---|
| Private to Super Admins | Super Admins only | Super Admins only |
| Allow everyone to view | All users | Super Admins only |
| Assign: View and edit | Selected Users/Teams | Selected Users/Teams |
| Assign: View only | Selected Users/Teams | Super Admins only |
| Assign: No access | Super Admins only | Super Admins only |
When working with HubSpot workflows, securing custom code and API integrations is essential. While these tools expand HubSpot's automation capabilities, they also introduce potential risks if not managed carefully. For instance, 80% of security breaches involve exposed credentials, and 43% of data leaks result from compromised API credentials. To ensure safety, you must validate every request, sanitize inputs, and protect authentication tokens.
HubSpot’s custom code actions operate on AWS Lambda, with strict execution limits. This setup demands efficient, secure code that handles errors gracefully without revealing sensitive data. Since 60% of API vulnerabilities stem from poor input sanitization, validation is your first and most critical defense.
Before deploying custom code in production, set up a local testing environment. Mock objects like the event and callback functions to debug efficiently. Tools such as webhook.site can help by letting you inspect payloads and test responses without affecting live data.
Input validation is non-negotiable. Use libraries like JSON Schema or Joi to enforce data types and filter out unexpected characters, reducing the risk of injection attacks. Additionally, validate the X-HubSpot-Signature-v3 header using HMAC SHA-256 and your client secret to confirm requests are genuinely from HubSpot.
"Always validate signatures before processing webhook data. Never trust incoming requests just because they hit your webhook endpoint." - HubSpot Developer Blog
To protect against replay attacks, implement timestamp validation. Reject requests with an X-HubSpot-Request-Timestamp older than 5 minutes, and use constant-time string comparison methods, like crypto.timingSafeEqual in Node.js, to avoid timing attacks.
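The signature, timestamp and constant-time checks described above, combined into one verifier. This is an added example, not HubSpot's code: the function names and sample values are constructed, and the source-string layout (method + URI + raw body + timestamp, base64 output) is an assumption to confirm against HubSpot's current v3 signature documentation.

```javascript
const crypto = require('crypto');

const MAX_AGE_MS = 5 * 60 * 1000; // the 5-minute replay window from the text

// Assumed v3 layout: HMAC-SHA256 over method + URI + raw body + timestamp,
// keyed with the app's client secret, then base64-encoded.
function computeSignature(clientSecret, method, uri, rawBody, timestamp) {
  return crypto
    .createHmac('sha256', clientSecret)
    .update(`${method}${uri}${rawBody}${timestamp}`, 'utf8')
    .digest('base64');
}

// headers: Node's http module lowercases incoming header names.
// rawBody: the exact bytes received, as a string. Re-serialising parsed JSON
// changes whitespace or key order and makes valid requests fail.
function verifyHubSpotRequest({ clientSecret, method, uri, rawBody, headers, now = Date.now() }) {
  const signature = headers['x-hubspot-signature-v3'];
  const timestamp = headers['x-hubspot-request-timestamp'];
  if (typeof signature !== 'string' || typeof timestamp !== 'string') {
    return { ok: false, reason: 'missing_headers' };
  }
  if (!/^\d{1,16}$/.test(timestamp)) {
    return { ok: false, reason: 'bad_timestamp' };
  }

  // Reject stale requests. Timestamps far in the future are rejected too,
  // a defensive addition that tolerates clock skew only inside the window.
  const age = now - Number(timestamp);
  if (Math.abs(age) > MAX_AGE_MS) {
    return { ok: false, reason: 'timestamp_out_of_window' };
  }

  // The timestamp is part of the signed string, so an attacker cannot
  // refresh it on a captured request without invalidating the signature.
  const expected = Buffer.from(
    computeSignature(clientSecret, method, uri, rawBody, timestamp), 'utf8');
  const received = Buffer.from(signature, 'utf8');

  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (expected.length !== received.length ||
      !crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'bad_signature' };
  }
  return { ok: true, reason: null };
}

// Constructed sample request (not real traffic or a real secret).
const SAMPLE = {
  clientSecret: 'constructed-secret-not-real',
  method: 'POST',
  uri: 'https://example.com/hubspot/webhook',
  rawBody: '{"objectId":123,"source":"workflow"}',
  timestamp: '1700000000000',
};

function sampleHeaders() {
  return {
    'x-hubspot-signature-v3': computeSignature(
      SAMPLE.clientSecret, SAMPLE.method, SAMPLE.uri, SAMPLE.rawBody, SAMPLE.timestamp),
    'x-hubspot-request-timestamp': SAMPLE.timestamp,
  };
}
```

Run the check before parsing or acting on the body, and return the same generic rejection for every failure reason so callers learn nothing about which check failed.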
Also, keep external API call timeouts under 15 seconds to stay within execution limits. Sanitize error responses to avoid exposing raw API payloads or stack traces, returning generic error codes instead. This minimizes the chances of attackers exploiting system information.
| Feature | Best Practice | Security Benefit |
|---|---|---|
| Authentication | OAuth 2.0 with Scopes | Restricts access to only necessary data |
| Data Transit | TLS 1.2 or higher | Prevents eavesdropping and man-in-the-middle attacks |
| Storage | AES-256 Encryption | Secures tokens at rest in databases |
| Validation | Allowlists (not blacklists) | Limits attack surface by defining acceptable input |
| Logging | Metadata only (no PII) | Enables auditing without exposing sensitive data |
Once your code is secure, the next step is to manage API keys and OAuth tokens correctly.
One golden rule: never hardcode API keys or OAuth tokens into your code. Instead, store them as secrets in the HubSpot UI and access them via process.env in your custom code. Ensure you manually assign which secrets are accessible for each action; otherwise, they’ll return undefined during runtime.
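A custom code action that applies the points above on local testing with a mocked event and callback, allowlist validation, sanitized errors and secrets read from process.env. This is an added example, not HubSpot's or the author's code: the `main(event, callback)` shape with `event.inputFields` and `outputFields` is assumed, and the field names, the `PROVISIONING_TOKEN` secret and the `send` transport are hypothetical.

```javascript
// Allowlist: every accepted field has an explicit rule; anything else is rejected.
const RULES = {
  email: (v) => typeof v === 'string' && v.length <= 254 &&
    /^[^\s@<>"']+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(v),
  plan: (v) => ['free', 'starter', 'pro'].includes(v),
  seats: (v) => /^\d{1,4}$/.test(String(v)) && Number(v) >= 1,
};

function validateInputs(inputFields) {
  const fields = inputFields || {};
  const errors = [];
  const clean = {};
  // Unknown keys are an error, not something to pass through silently.
  for (const key of Object.keys(fields)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, key)) {
      errors.push(`unexpected_field:${key}`);
    }
  }
  for (const [key, isValid] of Object.entries(RULES)) {
    const value = fields[key];
    if (value === undefined || value === null) errors.push(`missing:${key}`);
    else if (!isValid(value)) errors.push(`invalid:${key}`);
    else clean[key] = key === 'seats' ? Number(value) : value;
  }
  return { ok: errors.length === 0, errors, clean };
}

// In a HubSpot custom code action this function would be assigned to
// exports.main. deps.send is a hypothetical transport injected so the action
// can be exercised locally with mocks instead of a live API.
async function main(event, callback, deps = {}) {
  const send = deps.send || (async () => {
    throw new Error('no transport configured');
  });
  try {
    // Secrets must be assigned to the action in the HubSpot UI; an
    // unassigned secret is undefined at runtime.
    const token = process.env.PROVISIONING_TOKEN;
    if (!token) {
      throw Object.assign(new Error('secret not assigned'), { code: 'CONFIG' });
    }
    const result = validateInputs(event.inputFields);
    if (!result.ok) {
      return callback({ outputFields: { status: 'rejected', error_code: 'INVALID_INPUT' } });
    }
    await send(result.clean, token);
    return callback({ outputFields: { status: 'ok', error_code: '' } });
  } catch (err) {
    // Log and return a generic code only: no message, payload or stack trace.
    const code = err.code || 'UPSTREAM';
    console.error('action failed', { code });
    return callback({ outputFields: { status: 'failed', error_code: code } });
  }
}
```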
Use the latest OAuth v3 (2026-03) endpoints, which move sensitive parameters like client_id and client_secret to the request body instead of query strings. This avoids exposing them in server logs. For secure storage, rely on tools like AWS Secrets Manager, Google Cloud Secret Manager, or HashiCorp Vault, using AES-256 encryption for added protection.
HubSpot access tokens expire every 30 minutes, so implement automatic refresh logic. Refresh tokens about 5 minutes before expiration to avoid workflow interruptions. If you’re working in a multi-server setup, use distributed locking (e.g., Redis with Redlock) to prevent multiple servers from refreshing the same token at the same time.
To further minimize risk, apply the principle of least privilege by limiting OAuth token scopes to only the permissions required for each task. This approach can reduce data exposure risks by up to 75%. Additionally, rotate API keys regularly - 30% of organizations fail to update keys after integration updates, leaving them vulnerable.
For multi-tenant applications, associate tokens clearly with specific portal_id or hub_id to prevent cross-account data access. Finally, respect rate limits by using exponential backoff strategies when retrying failed API calls. This avoids unintentionally triggering denial-of-service scenarios.
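The refresh timing, per-portal isolation and backoff described above, as one token cache. This is an added example, not HubSpot's or the author's code: `PortalTokenCache`, `backoffDelay` and the injected `refreshFn` (which would perform the real OAuth refresh) are hypothetical names, and the in-process coalescing shown here does not replace a distributed lock in a multi-server setup.

```javascript
const TOKEN_TTL_MS = 30 * 60 * 1000;    // tokens expire every 30 minutes
const REFRESH_EARLY_MS = 5 * 60 * 1000; // refresh about 5 minutes before expiry

// Delay before retry n (0-based): base * 2^n, capped so waits stay bounded.
function backoffDelay(attempt, baseMs = 500, capMs = 8000) {
  return Math.min(capMs, baseMs * 2 ** attempt);
}

class PortalTokenCache {
  // refreshFn(portalId) -> Promise<{ accessToken, expiresInMs }> is supplied by
  // the caller. now and sleep are injectable so the cache can be tested
  // without real clocks or timers.
  constructor({ refreshFn, now = Date.now, sleep, maxAttempts = 4 }) {
    this.refreshFn = refreshFn;
    this.now = now;
    this.sleep = sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
    this.maxAttempts = maxAttempts;
    this.tokens = new Map();   // portalId -> { accessToken, expiresAt }
    this.inFlight = new Map(); // portalId -> pending refresh promise
  }

  needsRefresh(portalId) {
    const entry = this.tokens.get(portalId);
    return !entry || this.now() >= entry.expiresAt - REFRESH_EARLY_MS;
  }

  // Tokens are keyed by portal, so one account's token is never returned
  // for another account's request.
  async getToken(portalId) {
    if (!this.needsRefresh(portalId)) {
      return this.tokens.get(portalId).accessToken;
    }
    // Concurrent callers in this process share a single refresh. Across
    // several servers this Map is not enough; use a distributed lock there.
    let pending = this.inFlight.get(portalId);
    if (!pending) {
      pending = this.refreshWithRetry(portalId)
        .finally(() => this.inFlight.delete(portalId));
      this.inFlight.set(portalId, pending);
    }
    return (await pending).accessToken;
  }

  async refreshWithRetry(portalId) {
    let lastError;
    for (let attempt = 0; attempt < this.maxAttempts; attempt += 1) {
      try {
        const { accessToken, expiresInMs = TOKEN_TTL_MS } = await this.refreshFn(portalId);
        const entry = { accessToken, expiresAt: this.now() + expiresInMs };
        this.tokens.set(portalId, entry);
        return entry;
      } catch (err) {
        lastError = err;
        // Back off before retrying so failures do not hammer the API.
        if (attempt < this.maxAttempts - 1) {
          await this.sleep(backoffDelay(attempt));
        }
      }
    }
    throw lastError;
  }
}
```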
Securing HubSpot workflow automation requires constant attention. As your team expands and the number of integrations grows, it’s easy for security settings to spiral out of control. A once-secure system can quickly become exposed without regular upkeep.
The key steps are simple yet essential: restrict Super Admin access to just 1–3 trusted individuals, require Two-Factor Authentication (2FA) or Single Sign-On (SSO) for all users, use HubSpot's encryption features to classify sensitive data, and avoid hardcoding credentials into workflows or scripts. These aren’t optional - they’re the backbone of a solid security plan.
Routine reviews are equally critical. A quick monthly review of new users (15 minutes), a quarterly check of permissions and connected apps (30 minutes), and an annual in-depth security audit can help you identify and resolve vulnerabilities before they become serious problems. Additionally, deactivate users who haven’t logged in for over 90 days, disconnect unused third-party apps, and keep an eye on Enterprise audit logs for unusual activity.
For B2B SaaS companies, your HubSpot portal is more than a CRM - it’s a repository for revenue data, product usage insights, and automation logic that drives your competitive edge. Safeguarding this information isn’t just about meeting compliance standards; it’s about protecting the core of your business operations. By integrating strong RBAC, 2FA, and regular security checks into your processes, you can ensure your workflows remain both scalable and secure.
To ensure secure workflows in HubSpot, you need to authorize the app using the automation scope. If your workflows involve sensitive data, make sure to request extra scopes tailored to the type of enrolled record. This approach helps restrict access to only what’s essential for your workflows.
To avoid lockouts when implementing SSO in HubSpot, it's smart to exempt certain users, such as administrators, who might require direct login access. This provides a safety net in case the SSO system becomes unavailable or is set up incorrectly. Before enforcing SSO, make sure to thoroughly test the setup to confirm the connection is functioning properly. By carefully managing exemptions and testing the configuration, you can reduce risks while keeping access secure.
Actions that deal with sensitive properties - like creating, updating, or deleting workflows - come with strict restrictions. Accessing sensitive data, such as enrolling records or retrieving enrollment and performance data linked to these properties, requires specific scopes and proper authorization. Always follow the correct authorization protocols and limit access to sensitive data within workflows to maintain compliance.